# NOTE(review): every line of this listing starts with its original line
# number, and the numbering has gaps. The assignments of TSHARK, EDITCAP,
# CAPINFOS, DATE, TMP_DIR, MAX_CPU_TIME, MAX_VMEM, ERR_PROB, TSHARK_ARGS, PASS
# and RETVAL, and the loop/case terminators, are not visible here, so the
# notes below describe only what the visible lines do.
5 # Fuzz-testing script for TShark
7 # This script uses Editcap to add random errors ("fuzz") to a set of
8 # capture files specified on the command line. It runs TShark on
9 # each fuzzed file and checks for errors. The files are processed
10 # repeatedly until an error is found.
12 # Tweak the following to your liking. Editcap must support "-E".
17 # This needs to point to a 'date' that supports %s.
# NOTE(review): the working file names are built from the current date and
# this shell's PID ($$), so they are predictable. If TMP_DIR is a shared,
# world-writable directory, another local user could pre-create or symlink
# these names; a private directory from `mktemp -d` avoids that.
19 BASE_NAME=fuzz-`$DATE +%Y-%m-%d`-$$
21 # Temporary file directory and names.
22 # (had problems with this on cygwin, tried TMP_DIR=./ which worked)
24 TMP_FILE=$BASE_NAME.pcap
25 ERR_FILE=$BASE_NAME.err
27 # Loop this many times (< 1 loops forever)
30 # These may be set to your liking
31 # Stop the child process, if it's running longer than x seconds
33 # Stop the child process, if it's using more than y * 1024 bytes
35 # Insert z times an error into the capture file (0.02 seems to be a good value to find errors)
37 # Trigger an abort if a dissector finds a bug.
38 # Uncomment to disable
# NOTE(review): the assignment below is active as shown, so disabling it means
# commenting it out. A plain assignment reaches child processes such as TShark
# only if the variable is also exported; no export is visible in this listing
# - confirm one exists.
39 WIRESHARK_ABORT_ON_DISSECTOR_BUG="True"
42 # To do: add options for file names and limits
# The leading ':' in the option string selects getopts' silent error mode;
# -d and -p each take an argument.
43 while getopts ":d:p:" OPTCHAR ; do
# NOTE(review): the -p value is used unquoted in numeric tests further down;
# a non-numeric or empty value makes those tests fail with an error instead of
# being rejected here.
46 p) MAX_PASSES=$OPTARG ;;
# Drop the parsed options so only the capture file names remain.
49 shift $(($OPTIND - 1))
51 # set some limits to the child processes, e.g. stop it if it's running longer than MAX_CPU_TIME seconds
52 # (ulimit is not supported well on cygwin and probably other platforms, e.g. cygwin shows some warnings)
# -S sets soft limits only (-t CPU time, -v virtual memory). They apply to
# this shell and to every process it starts afterwards, which is what bounds a
# parser that loops or over-allocates on a fuzzed file. A soft limit can be
# raised again up to the hard limit, so this is a safety net, not a sandbox.
53 ulimit -S -t $MAX_CPU_TIME -v $MAX_VMEM
56 ### usually you won't have to change anything below this line ###
58 # TShark arguments (you won't have to change these)
59 # n Disable network object name resolution
60 # V Print a view of the details of the packet rather than a one-line summary of the packet
61 # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details
62 # r Read packet data from the following infile
# Check that each required tool and the work directory can be found; the test
# that sets NOTFOUND is on a line not shown here.
66 for i in "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR" ; do
68 echo "Couldn't find $i"
72 if [ $NOTFOUND -eq 1 ]; then
76 # Make sure we have a valid test set
# A file counts as valid when capinfos exits successfully on it; one valid
# file is enough to proceed.
79 "$CAPINFOS" "$CF" > /dev/null 2>&1 && FOUND=1
80 if [ $FOUND -eq 1 ] ; then break ; fi
83 if [ $FOUND -eq 0 ] ; then
85 Error: No valid capture files found.
87 Usage: `basename $0` [-p passes] [-d work_dir] capture file 1 [capture file 2]...
93 if [ $MAX_PASSES -gt 0 ]; then
94 HOWMANY="$MAX_PASSES passes"
96 echo "Running $TSHARK with args: $TSHARK_ARGS ($HOWMANY)"
99 # Not yet - properly handle empty filenames
# NOTE(review): with the trap disabled, an interrupted run leaves the fuzzed
# capture and the stderr log behind in TMP_DIR. If it is enabled, the paths
# should be quoted and the string single-quoted so that it is expanded when
# the signal arrives, not when the trap is installed.
100 #trap "rm $TMP_DIR/$TMP_FILE $TMP_DIR/$FUZZ_FILE; exit 1" 1 2 15
102 # Iterate over our capture files.
# Runs until PASS reaches MAX_PASSES, or without a pass limit when MAX_PASSES
# is below 1. NOTE(review): the operands are unquoted and joined with the
# obsolescent -o operator; an empty or non-numeric value makes the test error
# out rather than evaluate.
104 while [ $PASS -lt $MAX_PASSES -o $MAX_PASSES -lt 1 ] ; do
105 PASS=`expr $PASS + 1`
# Re-validate the input on every pass before fuzzing it.
111 "$CAPINFOS" "$CF" > /dev/null 2>&1
112 if [ $? -ne 0 ] ; then
113 echo "Not a valid capture file"
# Write a copy of the capture with random errors (probability ERR_PROB) to the
# working file; on failure, retry with the encapsulation forced to Ethernet.
# NOTE(review): $TMP_DIR/$TMP_FILE is unquoted here and below, so a work
# directory containing whitespace or glob characters (it can come from -d,
# per the usage text) is split into several arguments.
119 "$EDITCAP" -E $ERR_PROB "$CF" $TMP_DIR/$TMP_FILE > /dev/null 2>&1
120 if [ $? -ne 0 ] ; then
121 "$EDITCAP" -E $ERR_PROB -T ether "$CF" $TMP_DIR/$TMP_FILE \
123 if [ $? -ne 0 ] ; then
124 echo "Invalid format for editcap"
# Run TShark on the fuzzed file: stdout is discarded and stderr is kept in
# ERR_FILE so it can be searched and shown if this pass fails.
129 "$TSHARK" $TSHARK_ARGS $TMP_DIR/$TMP_FILE \
130 > /dev/null 2> $TMP_DIR/$ERR_FILE
# A "dissector bug" message on stderr is treated as a failure of its own.
132 grep -i "dissector bug" $TMP_DIR/$ERR_FILE \
133 > /dev/null 2>&1 && DISSECTOR_BUG=1
# NOTE(review): RETVAL is not assigned on any visible line; presumably it
# holds TShark's exit status captured on a line missing from this listing -
# confirm it is taken before grep overwrites $?.
134 if [ $RETVAL -ne 0 -o $DISSECTOR_BUG -ne 0 ] ; then
135 FUZZ_FILE="fuzz-`$DATE +%Y-%m-%d`-$$.pcap"
138 echo -e "Processing failed. Capture info follows:\n"
# Keep the input that triggered the failure under the FUZZ_FILE name so the
# problem can be reproduced and reported.
139 mv $TMP_DIR/$TMP_FILE $TMP_DIR/$FUZZ_FILE
140 echo " Output file: $TMP_DIR/$FUZZ_FILE"
141 if [ $DISSECTOR_BUG -ne 0 ] ; then
142 echo -e "stderr follows:\n"
143 cat $TMP_DIR/$ERR_FILE
# Remove the working files for this pass.
# NOTE(review): the paths are unquoted, so with whitespace in TMP_DIR the
# rm -f would act on the split words instead of the intended files.
148 rm -f $TMP_DIR/$TMP_FILE $TMP_DIR/$ERR_FILE